Solved: How to extract field values from a log record incl... - Splunk Community

Getting Data In

hi all,

we have data records like

posLabel=monitoring field posData=51.02 55.56 msg=xxxx

where variables' content include blanks.

my questions:

how can I advise splunk to include the entire string (incl. blanks)
to a variable. in this example, to assign "monitoring field" to variable
posLabel and "51.02 55.56" to posData?
is there any escape character defined to prevent that a "=" character
in my data becomes interpreted as a new variable namen?
for example, in case of "posData=x=5,y=9 " the value of posData
should be "x=5,y=9", and no x and y variables should become created.

thanks for any link or sample code.

best, and thanks to all
Caspar

1 Solution

Solution

Like this:

props.conf:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

transforms.conf:

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

View solution in original post

Solution

Like this:

props.conf:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

transforms.conf:

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...